1727c1118577056d09712eecd4b049dbbda7bf7bd67f0e08525416009316fe62

General

Target

9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe
Size

12KB
MD5

9ee793dbd161bbfd3dcf98cf54bb0fb0
SHA1

8a78ec9e54995126ce9ebdb6c1dcd8630ddece5e
SHA256

1727c1118577056d09712eecd4b049dbbda7bf7bd67f0e08525416009316fe62
SHA512

2b4dc2d9059359f1d28737b6887e43e6a42bd48f34554181e8bb1fbf86625bd06e284162aad043fc6971443ee8d918be091008163568c1dbbfa6a1995b96b798
SSDEEP

384:EL7li/2zyq2DcEQvdQcJKLTp/NK9xaSn:SKMCQ9cSn

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2568	tmp9FBA.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
2568	tmp9FBA.tmp.exe

Loads dropped DLL 1 IoCs

pid	Process
1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 2116	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	28
PID 1300 wrote to memory of 2116	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	28
PID 1300 wrote to memory of 2116	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	28
PID 1300 wrote to memory of 2116	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	28
PID 2116 wrote to memory of 2916	2116	vbc.exe	30
PID 2116 wrote to memory of 2916	2116	vbc.exe	30
PID 2116 wrote to memory of 2916	2116	vbc.exe	30
PID 2116 wrote to memory of 2916	2116	vbc.exe	30
PID 1300 wrote to memory of 2568	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	31
PID 1300 wrote to memory of 2568	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	31
PID 1300 wrote to memory of 2568	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	31
PID 1300 wrote to memory of 2568	1300	9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe	31

C:\Users\Admin\AppData\Local\Temp\9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\41burnxz\41burnxz.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA41C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92A6CC09FA264F59BF45265FE6FA712.TMP"
    3⤵
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe" C:\Users\Admin\AppData\Local\Temp\9ee793dbd161bbfd3dcf98cf54bb0fb0_NeikiAnalytics.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\41burnxz\41burnxz.0.vb

Filesize
2KB

MD5
5cf9351a28cfef4999c1e050f4d6930f

SHA1
d975e7507c916ea3ca07a2a146c0b14748f26e7a

SHA256
01bc918373cedf2f5e67e7ce864b2340a8ee62962c0febb8bbc20e1e04386e9f

SHA512
34c11260f1934262b7f25ec514ff75b0abd60c8ca3aae7b0e34cf2cb10a2849c65886ac3a640f335141ba2fb975d99e0f1fd597e6b9e71c497ee609f1cbee3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\41burnxz\41burnxz.cmdline

Filesize
273B

MD5
f28da3624e5a9b8e7d64a394d341ad79

SHA1
80c6ea21b71aac53639a7b22ab603bec8449ab6f

SHA256
76e9bfacb5f607acdf5304d4ac66c1d82d4f0269e5589ac8607295012f443dee

SHA512
6814343e8d62b07631e451ebe611b6ff4d9dcffc0808018ab3251a6fc716528f06e16275494f0fd5c41bb2ca87659bc83e5e0555887e416b241e31c3b7f945f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE.resources

Filesize
2KB

MD5
7c26941881b8e63cac1920fe2ee15119

SHA1
b8f481d95837564128031f9f82c09f829aa6be84

SHA256
a686e2db1813850e9ec32a65dd662d4d9ee2dd40a2a25841e13e209ea84ebb9d

SHA512
d679bbe5c61d84f67c519abd7a7d6904f97b57edfa4b3769ae451be49c21543b6c2ce2149caf4b3d44359c162b63582340ec4084a3d9ad9736b14352904c3497

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA41C.tmp

Filesize
1KB

MD5
e008f34f9bb6b753f75e2bd3da400368

SHA1
6097d38e615f26ea1cba5ce2df92a703e9d3b0da

SHA256
4205c43794b76f79bab59f92676d059b13af7c7fab4a5f61a285f8ed873acd1b

SHA512
d00d6ee89078ee12c9ad67b66fec642de856052058b4d7c28c2ced00ed6526aa706ea70c973ca5471fbd5de9a8d10dbc7edab653ef9a71a82848dafbe0aaaf0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9FBA.tmp.exe

Filesize
12KB

MD5
85d4ce0b34e54eafd9ba231363dd7df6

SHA1
1eb756cae0a1edeff8bf2d0a7971828494b98e5c

SHA256
7d22cd677e4e5c620fae0c9c3d58582d046191d8cb91b411f2f44fdf3ebf9561

SHA512
8c1f58f3ad84f4d9a44e98b5c0b1acb02420970dddde59fbfa52fdf60382f54d99ef463e753cd317636c3e4bbf5f33d7a723c6a4e53eda6f0b983b41a4d4c92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc92A6CC09FA264F59BF45265FE6FA712.TMP

Filesize
1KB

MD5
5798e2fe8ee6f585fec914a04858965c

SHA1
2569a8a0aa0d07c415a82ad879f1ef862f5582f6

SHA256
0ccd3357cb8d07c1d9ea445ed93560262c84fe0e8582c13a49acd59e040c87e2

SHA512
ee3391e84a53e285bcc95ee3cf636fcf91a4c571a11f20473ba5427460ba7d9df7f70b6e4c4eba3598d396bd47df20c6d6cfb5a371445d25c52eae0216bc2d9d

Download Submit
memory/1300-0-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

Filesize
4KB

Download
memory/1300-1-0x0000000000100000-0x000000000010A000-memory.dmp

Filesize
40KB

Download
memory/1300-7-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-24-0x0000000073FF0000-0x00000000746DE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-23-0x00000000011B0000-0x00000000011BA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing